Mac-Based auth and HP chap

jehan procaccia jehan.procaccia at it-sudparis.eu
Wed Apr 29 19:11:35 CEST 2009


Alan DeKok wrote:
> jehan procaccia wrote:
>   
>> hello,
>> I use FreeRADIUS Version 2.1.3, and I try a basic configuration from my
>> HP procurve2650 to do Mac-based radius auth.
>> for this I've setup a simple users file
>>
>> 005004B7252E    Auth-Type := Local, Cleartext-Password := "005004B7252E"
>>     
>
>   Delete the "Auth-Type := Local".  It doesn't do anything useful.
>   
OK done
>> First, it isn't clear to me whether to use Cleartext-Password or
>> User-Password and == or := , and "" or no "" around the password ...!? ,
>> anyway, with Cleartext-Password it works fine with radtest at least
>>     
>
>   The example in the FAQ and in the "users" file do NOT have Auth-Type.
> They DO use Cleartext-Password, and they DO use ":=".
>
>   All of the third-party web sites, FAQs, etc. are 2-3 years out of
> date, and are wrong.
>   
Indeed I was "googling" for examples ...
>   
>> [chap] login attempt by "005004B7252E" with CHAP password
>> [chap] Cleartext-Password is required for authentication
>>     
>
>   That says it doesn't have the Cleartext-Password.
>
> ...
>   
>> [files] users: Matched entry DEFAULT at line 172
>>     
>
>   So... what's at line 172?  Where is the "users" file entry you added?
>   
line 172 was
DEFAULT Framed-Protocol == PPP

I moved my user entry up to the top of the user file and now it seems 
to work :-)
Although I didn't set any chap password anywhere in freeradius !?
(perhaps because of this from http://wiki.freeradius.org/HP
/Note: A hashed version of the SRC address is also available in the 
CHAP-Password attribute./) ?

rad_recv: Access-Request packet from host 157.159.7.138 port 1125, id=13, length=195
        Framed-MTU = 1480
        NAS-IP-Address = 157.159.7.138
        NAS-Identifier = "Sw-C01"
        User-Name = "005004B7252E"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 26
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "26"
        Called-Station-Id = "00-1c-2e-b4-f2-66"
        Calling-Station-Id = "00-50-04-b7-25-2e"
        Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
        CHAP-Password = 0x0ccbeba82a75e0762efbf021c72bd5c45a
        Message-Authenticator = 0x3eae4885821478bc7bbcf7e45618c453
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]      expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/157.159.7.138/auth-detail-20090429
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/157.159.7.138/auth-detail-20090429
[auth_log]      expand: %t -> Wed Apr 29 19:05:06 2009
++[auth_log] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "005004B7252E", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry 005004B7252E at line 3
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = CHAP
+- entering group CHAP {...}
[chap] login attempt by "005004B7252E" with CHAP password
[chap] Using clear text password "005004B7252E" for user 005004B7252E authentication.
[chap] chap user 005004B7252E authenticated succesfully
++[chap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 13 to 157.159.7.138 port 1125
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "15"
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 13 with timestamp +37
Ready to process requests.

My PC client isn't in VLAN 15 though .. it's getting late here in 
France ... I'll continue tomorrow ...
thanks.

>   The FAQ says to add it at the TOP of the "users" file.  That works
> best for testing.
>
>   Alan DeKok.
>   
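
Added example (not part of the original message, and not FreeRADIUS code): a sketch of the CHAP check from RFC 1994 / RFC 2865, showing why the server needs the Cleartext-Password from the "users" entry and why no separate CHAP password is configured. The function names and the challenge value are constructed for illustration; the debug output above does not show the challenge the switch used.

```python
import hashlib
import hmac


def parse_debug_hex(value: str) -> bytes:
    """Turn a debug-output value such as 0x0ccb... into raw octets."""
    return bytes.fromhex(value[2:] if value.lower().startswith("0x") else value)


def chap_password_attr(chap_id: int, cleartext: bytes, challenge: bytes) -> bytes:
    """Build a CHAP-Password value: 1 octet CHAP ident + MD5(ident || password || challenge)."""
    ident = bytes([chap_id])
    return ident + hashlib.md5(ident + cleartext + challenge).digest()


def verify_chap(attr: bytes, cleartext: bytes, challenge: bytes) -> bool:
    """Recompute the response from the stored clear-text password and compare.

    The challenge is the CHAP-Challenge attribute if the NAS sent one,
    otherwise the 16-octet Request Authenticator of the Access-Request.
    """
    if len(attr) != 17:  # ident (1) + MD5 digest (16)
        return False
    expected = chap_password_attr(attr[0], cleartext, challenge)
    return hmac.compare_digest(expected, attr)


# Constructed challenge, standing in for the Request Authenticator.
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")

# CHAP-Password from the Access-Request above: only its layout can be inspected
# here, because the matching challenge is not in the debug output.
PAGE_ATTR = parse_debug_hex("0x0ccbeba82a75e0762efbf021c72bd5c45a")

if __name__ == "__main__":
    print("CHAP ident in the packet above:", PAGE_ATTR[0], "digest octets:", len(PAGE_ATTR) - 1)

    # What the switch does: it uses the MAC string as the CHAP secret.
    sent = chap_password_attr(PAGE_ATTR[0], b"005004B7252E", CHALLENGE)

    # What the server does with Cleartext-Password := "005004B7252E".
    print("users entry matches:", verify_chap(sent, b"005004B7252E", CHALLENGE))

    # The comparison is byte-exact, so a differently formatted MAC fails.
    print("lower-case MAC matches:", verify_chap(sent, b"005004b7252e", CHALLENGE))
```
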
